Advanced Cyber-Attack Claims Are Usually False, Overhyped

Many companies nowadays tend to claim they were the victims of an advanced persistent threat instead of admitting their security systems failed. As a result APTs have become overhyped.

When RSA
Security disclosed in February that a third party had breached its networks,
the company claimed that it had been hit by an advanced persistent threat.
Federal research facility Oak Ridge National Laboratory also blamed its recent
breach on an APT.
For both RSA
and Oak Ridge, the attacks turned out to be a spear-phishing attack. In both
cases, employees were tricked into opening the attached file that came with an
email that looked like it came from within their organizations.

Almost all
publicized and self-declared APT attacks this year have originated as spear
phishing, Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.
Spear phishing may not be a "glamorous" way of breaching the network, but it is
an extremely effective one, Ghosh said.

There is a
growing feeling among security researchers that organizations were using APT as
a convenient excuse when their network security has been breached. "The funny
thing here is that the malware used in most of the -APT' attacks we've seen
recently isn't really all that nefarious; it's just the new stuff on the
market," Ghosh said.
While APTs are
generally attacks that target sensitive data and are generally not
opportunistic attacks, Ghosh noted that the attack methodology is not advanced
at all. "Prey on the natural curiosities of the user; bank on the fact that
organizations are using antiquated technology; get the user to open up the door
to the network, establish residency, scan and move laterally-and all along the
way, duping one user after another," Ghosh said.
In the 2011
Data Breach Investigations Report, researchers from Verizon Business expressed
some concerns about "APT hysteria" that has swept the security industry. The
term's originators intended it to refer to allegedly state-sponsored attacks
from China, and others use it to describe any threat possessing "above average
skill and determination," Verizon researchers wrote.
However, it's
gotten to the point where thinking that "everyone is a target" of an APT has
led to "irrational fears about the boogeyman while common thieves clean you out
of house and home," according to the report.
"APT's are the
big bad wolf at the moment, and they've become a convenient cover for
post-attack disclosures," Gunter Ollmann, vice president of research at
Damballa, told eWEEK. Attackers have been conducting APTs for a decade, but the
victims didn't want to admit they'd been hit, Ollmann said. When Google
publicly admitted in January 2010 that it had been hit by Operation Aurora, this
type of attack was thrust into the spotlight. "Since then, it's become -okay'
to disclose whether your organization succumbed to an APT," Ollmann said.
In actuality,
organizations that think they are victims of APTs are really the victims of
"organized criminals, hacktivists, glorified script kiddies and their own
mistakes," the researchers wrote in the Verizon report.
Verizon's
report found that 78 percent of all incidents result in stolen bank card data.
Credit card numbers are not what attackers launching APTs are after, as these
"threat agents have more than money on their minds," the report said.
Most attackers
were not super-sophisticated state-sponsored cyber-criminals. With a lot of the
major cyber-criminals behind bars, the current crop of attackers tends to be
less sophisticated and relies on automated kits available online. The Verizon
report said only 3 percent of all incidents were so sophisticated they were
considered nearly impossible to stop.
"In many
cases, what is being called an APT is, in reality, just another cyber-crime
attack-motivated by the usual monetization and fraud aspects and using the same
tools," Ollmann said. Organizations need to focus on layered defenses and
regularly stay on top of basic security. They also need to work with
employees to better recognize phishing attacks.